---------- Forwarded message ----------
From: Henry Story <henry.story@gmail.com>
Date: Tue, Aug 10, 2010 at 4:04 AM
Subject: Re: [foaf-protocols] Multiple URIs in SAN extension
To: Reto Bachmann-GmÃ¼r <me@farewellutopia.com>
Cc: foaf-protocols@lists.foaf-project.org
On 10 Aug 2010, at 09:11, Reto Bachmann-GmÃ¼r wrote:
> My latest draft, which I think you pulled mandates exactly one URI.
>
> I don't know about reasons or avantages of having multiple uris.
One can have multiple URIs in a SAN that is a fact of X.509. We don't know
what the advantages may be of having multiple. So unless we can prove that
it is illogical, we should not mandate having only one.
Furthermore I think there is a case to be made for having multiple URIs in a
SAN for failover.
The way to deal with it is furthermore very simple.
For every URI wid1, wid2, wid3, ... for which the WebID proof works it is
true that
pkey cert:identity wid, wid2, wid3 ...
since cert:identity is (well it should be) an owl:functionalProperty, it
follows that
wid = wid2 = wid3 = ...
This is useful for the RelyingAgent to know, as if at a later date one of
those
fails to be dereferenceable it can use the others.
Note that though this does give the user failover protection, it also
increases
the number of ways he can be attacked.
But it is not that easy to create one X509 cert with many WebIDs in it, if
it is not somehow coordinated by the same service, so there is reason to
think that when it is used, it is used conscientiously.
Henry